[ASA-201807-2] git-annex: multiple issues
Arch Linux Security Advisory ASA-201807-2
=========================================

Severity: High
Date    : 2018-07-04
CVE-ID  : CVE-2018-10857 CVE-2018-10859
Package : git-annex
Type    : multiple issues
Remote  : Yes
Link    :

Summary
=======

The package git-annex before version 6.20180626-1 is vulnerable to multiple issues including arbitrary filesystem access and information disclosure.

Resolution
==========

Upgrade to 6.20180626-1.

# pacman -Syu "git-annex>=6.20180626-1"

The problems have been fixed upstream in version 6.20180626.

Workaround
==========

None.

Description
===========

- CVE-2018-10857 (arbitrary filesystem access)

Some uses of git-annex were vulnerable to a private data exposure and exfiltration attack. It could expose the content of files located outside the git-annex repository, or content from a private web server on localhost or the LAN.

- CVE-2018-10859 (information disclosure)

A malicious server for a special remote could trick git-annex into decrypting a file that was encrypted to the user's gpg key. This attack could be used to expose encrypted data that was never stored in git-annex.

Impact
======

A remote attacker is able to read arbitrary files on the filesystem or decrypt encrypted files by modifying the git-annex repository.

References
==========
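The exposure pattern described under CVE-2018-10857 (content outside the repository, or from a private web server on localhost or the LAN) lends itself to a defender-side triage of the URLs a repository records before any of them is fetched. The following is an added example, not git-annex's own code or check; it assumes such content would be referenced through file:// URLs or URLs whose literal host is loopback, link-local or private, and the sample URL list is constructed for the demonstration.

```python
"""Triage URLs recorded in a repository for the exposure pattern described in
CVE-2018-10857: file:// URLs and URLs aimed at localhost or private/LAN address
space. Added example, not git-annex's own code."""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample (hypothetical values): URLs a reviewer might extract from
# a repository's registered sources before trusting them.
SAMPLE_URLS = [
    "https://example.org/dataset/file1.bin",
    "file:///etc/passwd",
    "http://localhost:8080/secret.txt",
    "http://127.0.0.1/admin",
    "http://192.168.1.10/backup.tar",
    "http://[::1]/x",
    "http://169.254.169.254/latest/meta-data/",
    "ftp://10.0.0.5/pub/file",
    "not a url",
]

def classify_url(url):
    """Return 'file', 'private', 'public' or 'invalid'.
    Only literal hosts are inspected; no DNS lookup is performed, so a public
    hostname that resolves to a private address is NOT caught here."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return "invalid"
    scheme = parts.scheme.lower()
    if scheme == "file":
        return "file"          # local filesystem access, outside the repo
    if scheme not in ("http", "https", "ftp"):
        return "invalid"
    host = parts.hostname
    if not host:
        return "invalid"
    if host == "localhost" or host.endswith(".localhost"):
        return "private"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "public"        # named host: cannot judge without resolution
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_unspecified):
        return "private"       # loopback, RFC 1918, link-local, etc.
    return "public"

def suspicious_urls(urls):
    """Return the subset of urls that should be reviewed before fetching."""
    return [u for u in urls if classify_url(u) in ("file", "private")]
```

Run `suspicious_urls(SAMPLE_URLS)` to see which of the constructed entries would be held back for review; only the public example.org URL and the malformed entry pass.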